2018-06-13 - NECURS BOTNET MALSPAM USES .IQY FILE TO PUSH FLAWED AMMYY RAT

ASSOCIATED FILES:

  • 2018-06-13-Necurs-Botnet-malspam-tracker.csv   (2,008 bytes)
  • 2018-06-13-Necurs-Botnet-malspam-14-email-examples.txt   (22,981 bytes)
  • 2018-06-13-Necurs-Botnet-malspam-infection-traffic-for-Flawed-Ammyy.pcap   (946,642 bytes)
  • CPY00006073.iqy   (36 bytes)
  • cmd_.exe   (220,616 bytes)
  • wsus.exe   (664,352 bytes)

NOTES:


Shown above:  Flow chart for today's activity.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain and URL:

 

EMAIL


Shown above:  Screenshot of the spreadsheet tracker.

 


Shown above:  Screenshot from one of the emails.

 

EMAILS COLLECTED:

 


Shown above:  The attached IQY file when double-clicked.

 


Shown above:  Actual contents of the attached IQY file shown in a text editor.
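An IQY file is a plain-text Excel Web Query: a "WEB" type line, a "1" version line, then the URL Excel fetches with an HTTP GET when the file is opened (after a security prompt), followed by optional Key=Value parameter lines. The 36-byte attachment above is small enough to be little more than those three lines. As an added example, not from this page or its author, the following Python helper parses .iqy content, pulls out the URL Excel would fetch, and classifies it for mail-gateway or triage use. The sample attachments and the hosts iqy.example.test and intranet.example.test are constructed placeholders, since the page does not reproduce the real file or its URL; the parser also tolerates a UTF-8 BOM and the optional parameter lines, which goes a bit beyond the minimal sample discussed here.

```python
"""Parse and triage Excel Web Query (.iqy) attachments.

Added example for this page, not the author's code. Sample contents below
are constructed; the page does not reproduce the real .iqy or its URL.
"""
from typing import Optional
from urllib.parse import urlparse

# Constructed sample attachments modelled on the Excel Web Query format:
#   line 1: "WEB"   (query type)
#   line 2: "1"     (format version)
#   line 3: URL that Excel fetches with an HTTP GET when the file is opened
#   line 4+: optional Key=Value parameters (Selection=, Formatting=, ...)
SAMPLES = {
    "malspam_style.iqy": b"WEB\r\n1\r\nhttp://iqy.example.test/1\r\n",
    "with_params.iqy": (b"WEB\n1\nhttps://intranet.example.test/report.asp\n"
                        b"Selection=AllTables\nFormatting=None\n"),
    "bom_and_ftp.iqy": b"\xef\xbb\xbfWEB\r\n1\r\nftp://files.example.test/q\r\n",
    "not_iqy.txt": b"Hello,\r\nplease see the attached invoice.\r\n",
}

# Assumed allow-list of hosts a Web Query may legitimately point at (placeholder).
INTERNAL_SUFFIXES = ("intranet.example.test",)


def parse_iqy(data: bytes) -> Optional[dict]:
    """Return {"url": ..., "params": {...}} or None if data is not a Web Query file."""
    text = data.decode("utf-8-sig", errors="replace")  # utf-8-sig strips a BOM if present
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        return None
    params = {}
    for extra in lines[3:]:
        key, sep, value = extra.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return {"url": lines[2], "params": params}


def triage_iqy(name: str, data: bytes) -> dict:
    """Classify one attachment: not_iqy, odd_scheme, internal_fetch or external_fetch."""
    parsed = parse_iqy(data)
    if parsed is None:
        return {"file": name, "verdict": "not_iqy", "url": None, "host": "", "params": {}}
    u = urlparse(parsed["url"])
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https"):
        verdict = "odd_scheme"          # Excel would not issue a web fetch for this
    elif host and host.endswith(INTERNAL_SUFFIXES):
        verdict = "internal_fetch"      # points at an allow-listed host
    else:
        verdict = "external_fetch"      # opening it makes Excel GET an outside URL
    return {"file": name, "verdict": verdict, "url": parsed["url"],
            "host": host, "params": parsed["params"]}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return the list of verdict records."""
    return [triage_iqy(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        print(f'{r["file"]:20} {r["verdict"]:15} {r["url"]}')
```

Anything classified external_fetch is the pattern seen in this campaign: a tiny text attachment whose only payload is a URL that Excel will request on the user's behalf, so the URL itself is the indicator to extract and hunt for in proxy logs.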

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 


Shown above:  First HTTP GET request after opening the IQY file in Microsoft Excel.

 


Shown above:  The second HTTP GET request returned a PowerShell script.

 


Shown above:  The third HTTP GET request returned an initial Windows executable.

 


Shown above:  The fourth HTTP GET request returned a Flawed Ammyy executable, which was encrypted in transit over the network.

 


Shown above:  Callback traffic caused by the Flawed Ammyy executable.

 

FILE HASHES

MALSPAM ATTACHMENTS:

INITIAL EXECUTABLE:

FOLLOW-UP EXECUTABLE:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
